diff options
author | Nick Clifton <nickc@redhat.com> | 2016-08-30 13:38:54 +0100 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2016-08-30 13:38:54 +0100 |
commit | 00927233079d1d65826fd611019e9167706b9ec6 (patch) | |
tree | c6807426548726e78bb0c0dafde5a25678189d33 | |
parent | 8941017bc0226b60ce306d5271df15820ce66a53 (diff) | |
download | gdb-00927233079d1d65826fd611019e9167706b9ec6.zip gdb-00927233079d1d65826fd611019e9167706b9ec6.tar.gz gdb-00927233079d1d65826fd611019e9167706b9ec6.tar.bz2 |
Fix more potential seg-faults in gprof.
PR gprof/20499
* corefile.c (num_of_syms_in): Return an unsigned int.
(core_create_syms_from): Catch a possible integer overflow
computing the argument to xmalloc. Also allow for the possibility
that an integer overflow in num_of_syms_in means that less space
has been allocated than expected.
-rw-r--r-- | gprof/ChangeLog | 9 | ||||
-rw-r--r-- | gprof/corefile.c | 17 |
2 files changed, 24 insertions, 2 deletions
diff --git a/gprof/ChangeLog b/gprof/ChangeLog index 1081e8f..e5afbf6 100644 --- a/gprof/ChangeLog +++ b/gprof/ChangeLog @@ -1,3 +1,12 @@ +2016-08-30 Nick Clifton <nickc@redhat.com> + + PR gprof/20499 + * corefile.c (num_of_syms_in): Return an unsigned int. + (core_create_syms_from): Catch a possible integer overflow + computing the argument to xmalloc. Also allow for the possibility + that an integer overflow in num_of_syms_in means that less space + has been allocated than expected. + 2016-08-23 Nick Clifton <nickc@redhat.com> PR gprof/20499 diff --git a/gprof/corefile.c b/gprof/corefile.c index 2a433a6..e165da2 100644 --- a/gprof/corefile.c +++ b/gprof/corefile.c @@ -490,11 +490,11 @@ static char name[BUFSIZE]; /* Return number of symbols in a symbol-table file. */ -static int +static unsigned int num_of_syms_in (FILE * f) { char type; - int num = 0; + unsigned int num = 0; while (!feof (f) && fgets (buf, BUFSIZE - 1, f)) { @@ -531,6 +531,13 @@ core_create_syms_from (const char * sym_table_file) fprintf (stderr, _("%s: file `%s' has no symbols\n"), whoami, sym_table_file); done (1); } + /* PR 20499 - prevent integer overflow computing argument to xmalloc. */ + else if ((symtab.len * (unsigned) sizeof (Sym)) < symtab.len) + { + fprintf (stderr, _("%s: file `%s' has too many symbols: %u\n"), + whoami, sym_table_file, symtab.len); + done (1); + } symtab.base = (Sym *) xmalloc (symtab.len * sizeof (Sym)); @@ -564,6 +571,12 @@ core_create_syms_from (const char * sym_table_file) max_vma = MAX (symtab.limit->addr, max_vma); ++symtab.limit; + /* PR 20499 - it is theoretically possible that there are so many + symbols in the file that the scan in num_of_syms_in() wrapped + around. So be paranoid here and exit the loop if we have + reached the end of our allocated table. */ + if ((unsigned int)(symtab.limit - symtab.base) == symtab.len) + break; } fclose (f); |